By Peter Baumann, CEO
The May 25th deadline for GDPR (General Data Protection Regulation) compliance is approaching fast. Unfortunately, despite the months of advance warnings about the coming legal requirement, studies show that more than half of the companies across the US and UK will not be ready. Even the threat of severe, multi-million dollar fines hasn’t compelled many organizations to launch GDPR initiatives.
At Legaltech in New York earlier this month, we had conversations with more than 25 different businesses, based primarily in the U.S., but with a footprint in Europe. Every one of them is facing a GDPR challenge, yet only a handful of them could articulate a coherent GDPR strategy.
One study by an international law firm, which surveyed general counsel and chief security officers, found that:
- Only 43% of companies are setting up an internal GDPR taskforce
- One third say they are hiring a third-party to conduct a GDPR gap analysis
- Only one in three is hiring a third-party consultant or counsel to assist with compliance (33 per cent in the UK, 37 per cent in the US).
Here’s the thing: Even if you are doing all of these things, your company is still likely to fall short of GDPR compliance. Well short. Why?
There are any number of reasons that companies give for not launching a comprehensive GDPR strategy. Following are the most common myths we’ve found in our work with companies worldwide that prevent them from taking pre-emptive action, and likely doom their GDPR projects to failure:
- Myth: “GDPR? That’s IT’s job.”
  Reality: GDPR is not an IT issue, it’s a business issue. Companies that fail to make GDPR a strategic priority are not only putting their businesses at risk for fines and legal action, they are at risk of losing their customers, their brand reputation, and revenue, to competitors with better data governance practices.
- Myth: “We already have cybersecurity.” Organizations believe that GDPR is primarily a security issue: As long as they don’t get hacked, they think they’re ok.
  Reality: GDPR compliance must begin with good data governance practices. Cybersecurity measures will not put you in compliance with GDPR. Oh, and by the way, you are likely to get hacked. Then what?
- Myth: Our Marketing (or Finance, Legal, etc.) department is addressing it.
  Reality: While marketing departments do collect personal information about customers and are likely busy tightening their opt-in rules, GDPR compliance is not limited to any one department. It spans organizations and all communications your company has with the world, including customers, partners, employees and much more.
- Myth: It’s just too complicated. We have no idea what to do, so we haven’t done anything.
  Reality: This one isn’t exactly a myth – GDPR is complicated! Unfortunately, as in traffic tickets, pleading ignorance won’t save companies from the consequences of non-compliance.
- Myth: There’s just too much data. We don’t even know what we have!
  Reality: This is true if you are taking a manual approach to sifting through files. Hiring a consultant to analyze your data by whiteboarding simply isn’t going to cut the mustard.
This last point is critical. Even medium-sized enterprises have far more data than they can analyze manually. You could hire an army of GDPR specialists, and it would take years just to identify and categorize your company’s files. For example:
- The average large enterprise uses over 1000 cloud services.
- 94% of these cloud services are not considered enterprise-ready, generally meaning that they don’t implement enough controls to enforce enterprise-level security and compliance requirements.
Does that mean companies should give up on GDPR compliance? Of course not!
A problem largely created by technology can also be solved by technology, as long as it’s applied with well-proven best practices. There are dozens of tools on the market created for the purposes of analyzing and identifying enterprise data. However, there’s a big difference between secondary-market tools, i.e. tools developed primarily to address another market segment such as DLP and eDiscovery, and comprehensive file analysis solutions that are specifically developed to prepare you for the challenges of good information governance.
GDPR compliance is too important an issue to leave to chance. It demands a comprehensive, strategic approach that ensures compliance, reduces your risk and positions you as a brand that cares about information governance.
Ensuring compliance with GDPR may not be easy, but it’s necessary and worthwhile. More importantly, it’s entirely within your reach, given the right tools and partner.
In my next post, I’ll talk about the key requirements of a sound information governance strategy, and the capabilities you should look for in an IG solution.